Communication between Nine and the remote Exchange ActiveSync service may happen when the victim opens his or her phone, when an email is received (and push is enabled), or when the phone polls the remote service. From that point on, the attacker would merely wait for a Nine user to come within range of the rogue WAP. The attacker could funnel HTTPS traffic to mitmproxy which serves self-signed certificates from an otherwise invalid certificate authority (CA). In one scenario, an attacker may setup a WAP in a backpack broadcasting a well-known SSID, such as "Starbucks," bridged to a 3G/4G mobile data connection. Attacks can be trivialized in open wireless environments, or by WiFi stalking unsuspecting Nine users with a rogue wireless access point (WAP herein) to trick the mobile device into connecting to an attacker-controlled network. ExploitationĪn attacker in a privileged position within the same network as the mobile device running Nine can man-in-the-middle (MitM) traffic to the remote Exchange server (such as in the case of outlook365 corporate email). At the time of writing, Nine is listed in the Google Play store with 500,000 - 1,000,000 installs. The Nine mobile application for Android is a Microsoft Exchange client that allows users to synchronize their corporate email, tasks, and calendar entries to Android-based devices (phones, tablets, etc.). Creditĭiscovered by Derek Abdine of Rapid7, Inc., and disclosed in accordance with Rapid7's disclosure policy. Octoupdate: Version 3.1.0 was released by the vendor to address these issues.
This issue presents itself regardless of SSL/TLS trust settings within the Nine server settings panel.
Due to a lack of certificate validation with a configured remote Microsoft Exchange server, Nine leaks associated Microsoft Exchange user credentials, mail envelopes and their attachments, mailbox synchronization information, calendar entries and tasks.
0 kommentar(er)
